Wednesday, January 4, 2017

Windbg: raw dumping of usermode memory

This script works fine for me and dumps all the MEM_COMMIT pages to the specified folder:

.foreach /ps 6 (place  {!address -o:1 /f:MEM_COMMIT}) {   .foreach /pS a /ps 100 (size  {!address place }) { .echo place size; .writemem c:\dir2export\prefix${place} place L?${size}; } }

How to use:
- change "c:\dir2export" to your directory name;
- change "prefix" to the file prefix you want, or remove it entirely;

Do not forget that Windbg doesn't understand multi-line scripts and that the !address extension works differently in the kernel-mode environment.

UPD. For some strange reason Windbg randomly shows a "can't access the memory" error, but the next run of the script completes successfully.

UPD2. The script is also useful for a full memory search:
// 8 bytes
.foreach /ps 6 (place  {!address -o:1 /f:MEM_COMMIT}) { .foreach /pS a /ps 100 (size  {!address place }) { s -q ${place} L?${size}/8 put-variable-here; } }
// 4 bytes
.foreach /ps 6 (place  {!address -o:1 /f:MEM_COMMIT}) { .foreach /pS a /ps 100 (size  {!address place }) { s -d ${place} L?${size}/4 put-variable-here; } }

etc.
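To work with the files the dump script writes, here is an added Python example (my own, not from the post) that walks the export directory, recovers each region's base address from its file name, searches the dumps for a 4- or 8-byte little-endian value the way the s -d / s -q lines above do, and reports which regions came out empty because Windbg could not read them. It assumes the file name is the prefix followed by the address exactly as Windbg printed it (possibly with its backtick separator); the directory, prefix and region contents are constructed sample data.

```python
import os
import re
import struct
import tempfile

# Assumed naming (see lead-in): <prefix><base address as WinDbg printed it>,
# e.g. "prefix00007ff6`5b2c0000"; the backtick is WinDbg's 64-bit separator.
ADDR_RE = re.compile(r"^[0-9a-fA-F`]+$")


def region_base(filename, prefix):
    """Return the region base address encoded in a dump file name, or None."""
    if not filename.startswith(prefix):
        return None
    hexpart = filename[len(prefix):]
    if not ADDR_RE.match(hexpart):
        return None
    return int(hexpart.replace("`", ""), 16)


def find_value(data, base, value, width):
    """Return absolute addresses where `value` (little-endian, `width` bytes)
    occurs in `data`, a region that was dumped from virtual address `base`."""
    needle = struct.pack({4: "<I", 8: "<Q"}[width], value)
    hits = []
    pos = data.find(needle)
    while pos != -1:
        hits.append(base + pos)
        pos = data.find(needle, pos + 1)
    return hits


def search_dumps(directory, prefix, value, width):
    """Search every region dump in `directory` for `value`.

    Returns (hits, coverage): hits is a sorted list of absolute addresses,
    coverage maps region base -> bytes read, so regions WinDbg failed to
    dump (empty files) stay visible instead of silently being skipped."""
    hits = []
    coverage = {}
    for name in sorted(os.listdir(directory)):
        base = region_base(name, prefix)
        if base is None:          # not one of our dump files
            continue
        with open(os.path.join(directory, name), "rb") as f:
            data = f.read()
        coverage[base] = len(data)
        hits.extend(find_value(data, base, value, width))
    return sorted(hits), coverage


def build_sample_dir():
    """Create a temp directory with constructed region dumps (not real data)."""
    d = tempfile.mkdtemp(prefix="windbg_dumps_")
    marker = struct.pack("<Q", 0x4142434445464748)
    # Region 1: one 4 KiB page with the marker at offsets 0x100 and 0xF00.
    r1 = bytearray(0x1000)
    r1[0x100:0x108] = marker
    r1[0xF00:0xF08] = marker
    with open(os.path.join(d, "prefix00007ff6`5b2c0000"), "wb") as f:
        f.write(r1)
    # Region 2: a region WinDbg could not read comes out as an empty file.
    with open(os.path.join(d, "prefix00000000`00400000"), "wb") as f:
        f.write(b"")
    # An unrelated file that must be ignored.
    with open(os.path.join(d, "notes.txt"), "w") as f:
        f.write("ignore me")
    return d


if __name__ == "__main__":
    d = build_sample_dir()
    hits, cov = search_dumps(d, "prefix", 0x4142434445464748, 8)
    for h in hits:
        print(f"hit at {h:#018x}")
    for base, n in sorted(cov.items()):
        print(f"region {base:#018x}: {n:#x} bytes read" + ("  <- empty" if n == 0 else ""))
```

Point it at the real directory and prefix from the script and it searches the dumps offline; the coverage map is what tells you a region was lost to the "can't access the memory" error and needs a second run.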
